I set up Dependabot to update Python dependencies managed by uv.
Basic setup

Create .github/dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      python-packages:
        patterns:
          - "*"
```

The groups section batches updates into single PRs - much better than 20 individual PRs.
My grouping strategy

I typically group by risk level:

```yaml
groups:
  # Low risk - merge without much review
  minor-and-patch:
    patterns:
      - "*"
    update-types:
      - "minor"
      - "patch"
  # Higher risk - review more carefully
  major:
    patterns:
      - "*"
    update-types:
      - "major"
```

This gives me one PR for minor updates (usually safe to merge) and separate PRs for major version bumps (need changelog review).
Regenerating uv.lock

For uv specifically, Dependabot reads pyproject.toml but doesn't update uv.lock. Add this step to your CI; it regenerates the lockfile and emits a warning (not a failure) when the committed uv.lock is out of date:

```yaml
- name: Update lockfile
  run: |
    uv lock
    git diff --exit-code uv.lock || echo "::warning::uv.lock needs updating"
```
Reviewing Dependabot PRs

My process:
- Check CI passes (obvious)
- Skim the changelog for breaking changes
- For major updates: read migration guides
- Merge minor/patch updates quickly, don’t let them pile up
Other options

Ignore certain packages:

```yaml
ignore:
  - dependency-name: "some-package"
    update-types: ["version-update:semver-major"]
```

Open PRs against a specific branch:

```yaml
target-branch: "develop"
```

Limit open PRs:

```yaml
open-pull-requests-limit: 5
```
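To see how the grouping strategy above and the ignore rule interact before a PR ever opens, here is a small simulator. It is an added example, not code from the original post and not Dependabot's own implementation: the matching and semver-classification rules are a simplified model of Dependabot's behaviour (an assumption), the config is the post's YAML transcribed into a Python dict so it runs without a YAML library, and the list of pending bumps is constructed.

```python
"""Simulate how a Dependabot `groups` / `ignore` configuration sorts version
bumps into pull requests.

Added example, not Dependabot's own code. The version comparison and
pattern matching below are a simplified model of Dependabot's grouping
rules (an assumption); the config mirrors the post's YAML as a dict.
"""
import re
from fnmatch import fnmatch
from typing import Optional

# The post's grouping strategy plus its `ignore` example, transcribed to a
# dict (constructed here to stand in for .github/dependabot.yml).
CONFIG = {
    "groups": {
        "minor-and-patch": {"patterns": ["*"], "update-types": ["minor", "patch"]},
        "major": {"patterns": ["*"], "update-types": ["major"]},
    },
    "ignore": [
        {"dependency-name": "some-package",
         "update-types": ["version-update:semver-major"]},
    ],
}

# Leading MAJOR.MINOR.PATCH; anything after (pre-release, local tag) is dropped.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; missing parts are 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def update_type(old: str, new: str) -> Optional[str]:
    """Classify a bump as 'major', 'minor' or 'patch'; None if not an upgrade."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        return None
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def is_ignored(name: str, bump: str, config: dict) -> bool:
    """True if an `ignore` rule matches this dependency and update type.
    A rule without update-types ignores every update of that dependency."""
    for rule in config.get("ignore", []):
        if not fnmatch(name, rule["dependency-name"]):
            continue
        types = rule.get("update-types")
        if not types or f"version-update:semver-{bump}" in types:
            return True
    return False


def group_for(name: str, old: str, new: str, config: dict) -> Optional[str]:
    """Return the group (PR) this bump lands in, 'ungrouped' if no group
    matches, or None if the update is ignored or is not an upgrade."""
    bump = update_type(old, new)
    if bump is None or is_ignored(name, bump, config):
        return None
    for group_name, group in config.get("groups", {}).items():
        patterns = group.get("patterns", ["*"])
        types = group.get("update-types")
        if any(fnmatch(name, p) for p in patterns) and (not types or bump in types):
            return group_name
    return "ungrouped"


def plan_prs(bumps: list, config: dict) -> dict:
    """Bucket (name, old, new) bumps into the PRs Dependabot would open."""
    prs: dict = {}
    for name, old, new in bumps:
        group = group_for(name, old, new, config)
        if group is not None:
            prs.setdefault(group, []).append(f"{name} {old} -> {new}")
    return prs


if __name__ == "__main__":
    # Constructed sample of pending updates.
    sample = [
        ("requests", "2.31.0", "2.32.3"),
        ("ruff", "0.4.1", "0.4.2"),
        ("pydantic", "1.10.15", "2.7.1"),
        ("some-package", "3.0.0", "4.0.0"),  # major bump: dropped by the ignore rule
        ("some-package", "3.0.0", "3.1.0"),  # minor bump: still grouped
    ]
    for pr, items in plan_prs(sample, CONFIG).items():
        print(f"PR '{pr}':")
        for line in items:
            print("   ", line)
```

Running it shows two PRs: `minor-and-patch` carrying requests, ruff and the minor bump of some-package, and `major` carrying only pydantic; the major bump of some-package is swallowed by the ignore rule, which is the behaviour to double-check before relying on `ignore` for a package whose major releases you still want to hear about.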
Further reading
- Dependabot configuration options - all available settings